[Openstack] Keystone Fernet Token

Adam Young ayoung at redhat.com
Mon Nov 9 14:52:29 UTC 2015


On 11/07/2015 01:08 PM, Reza Bakhshayeshi wrote:
> Thanks all, especially Rahul,
> I solved the problem temporarily by disabling selinux.

What did you have for an AVC?  It sounds like the issue was the Keystone 
WSGI process reading the keys file?  Can you post the relevant sections 
from the audit log?

>
> On 3 November 2015 at 07:43, 张家龙 <zhangjl at awcloud.com 
> <mailto:zhangjl at awcloud.com>> wrote:
>
>     Maybe you should do as follows:
>
>         chown -R keystone:keystone /etc/keystone
>
>     Then, restart the keystone service:
>
>         systemctl restart openstack-keystone
>
>     ------------------
>     Best Regards
>     ZhangJialong
>     ------------------ Original ------------------
>     *From: * "Adam Young"<ayoung at redhat.com <mailto:ayoung at redhat.com>>;
>     *Date: * Tue, Nov 3, 2015 11:01 AM
>     *To: * "openstack"<openstack at lists.openstack.org
>     <mailto:openstack at lists.openstack.org>>;
>     *Subject: * Re: [Openstack] Keystone Fernet Token
>     On 10/28/2015 02:23 PM, Reza Bakhshayeshi wrote:
>>     Hi all,
>>
>>     I'm going to use Fernet tokens on OpenStack Kilo (only the Keystone
>>     service is installed).
>>     I've configured keystone.conf like:
>>
>>     [token]
>>     provider = keystone.token.providers.fernet.Provider
>>
>>     when I'm running:
>>     keystone-manage fernet_setup --keystone-user keystone
>>     --keystone-group keystone
>>
>>     Keys are created successfully in the /etc/keystone/fernet-keys directory.
>>     But when I'm going to create a token I receive the following
>>     error; here is the complete log:
>>
>>     2015-10-28 21:22:14.680 65218 INFO keystone.common.wsgi [-] GET /?
>>     2015-10-28 23:50:25.343 9377 INFO
>>     keystone.token.providers.fernet.utils [-] [fernet_tokens]
>>     key_repository does not appear to exist; attempting to create it
>>     2015-10-28 23:50:25.344 9377 INFO
>>     keystone.token.providers.fernet.utils [-] Created a new key:
>>     /etc/keystone/fernet-keys/0
>>     2015-10-28 23:50:25.344 9377 INFO
>>     keystone.token.providers.fernet.utils [-] Starting key rotation
>>     with 1 key files: ['/etc/keystone/fernet-keys/0']
>>     2015-10-28 23:50:25.344 9377 INFO
>>     keystone.token.providers.fernet.utils [-] Current primary key is: 0
>>     2015-10-28 23:50:25.345 9377 INFO
>>     keystone.token.providers.fernet.utils [-] Next primary key will be: 1
>>     2015-10-28 23:50:25.345 9377 INFO
>>     keystone.token.providers.fernet.utils [-] Promoted key 0 to be
>>     the primary: 1
>>     2015-10-28 23:50:25.345 9377 INFO
>>     keystone.token.providers.fernet.utils [-] Created a new key:
>>     /etc/keystone/fernet-keys/0
>>     2015-10-28 23:50:25.345 9377 INFO
>>     keystone.token.providers.fernet.utils [-] Excess keys to purge: []
>>     2015-10-28 23:50:52.632 8059 INFO keystone.common.wsgi [-] POST
>>     /tokens?
>>     2015-10-28 23:50:52.889 8059 ERROR
>>     keystone.token.providers.fernet.utils [-] Either [fernet_tokens]
>>     key_repository does not exist or Keystone does not have
>>     sufficient permission to access it: /etc/keystone/fernet-keys/
>>     2015-10-28 23:50:52.890 8059 WARNING keystone.common.wsgi [-] No
>>     encryption keys found; run keystone-manage fernet_setup to
>>     bootstrap one.
>>
>>     while the permissions seem to be correct:
>>
>>     # ls -lah /etc/keystone/
>>     total 104K
>>     drwxr-x---.   3 root     keystone 4.0K Oct 28 23:50 .
>>     drwxr-xr-x. 143 root     root      12K Oct 28 12:56 ..
>>     -rw-r-----.   1 root     keystone 1.5K Jul 29 00:21
>>     default_catalog.templates
>>     drwx------.   2 keystone keystone 4.0K Oct 28 23:50 fernet-keys
>>     -rw-r-----.   1 root     keystone  57K Oct 28 23:48 keystone.conf
>>     -rw-r-----.   1 root     keystone 1.1K Jul 29 00:21 logging.conf
>>     -rw-r-----.   1 keystone keystone 8.6K Jul 29 00:21 policy.json
>>     -rw-r-----.   1 keystone keystone  665 Jul 29 00:21
>>     sso_callback_template.html
>>
>>     What am I missing?
>
>     No idea.  When I get into these situations, I use rpdb;
>
>     http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/
>
>
>     Is there anything in /etc/keystone/fernet-keys ?
>
>
>
>>
>>
>>     _______________________________________________
>>     Mailing list:http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>     Post to     :openstack at lists.openstack.org <mailto:openstack at lists.openstack.org>
>>     Unsubscribe :http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

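As an added example (not code from this thread or from Keystone itself): a small Python model of the Fernet key repository the log above describes, with a repository check that asks the kernel for access the way the failing code path does (so an SELinux denial shows up even when `ls -l` looks right), and a rotation routine that mirrors the log's sequence (promote staged key 0, create a new 0, purge excess). The helper names, the `max_active_keys` default of 3 and the temporary paths are assumptions; `demo()` runs the sequence in a scratch directory.

```python
import base64
import os
import tempfile

def new_key_bytes():
    # Same construction as a Fernet key: 32 random bytes, urlsafe base64.
    return base64.urlsafe_b64encode(os.urandom(32))

def key_ids(repo):
    # Key files are named by integer: 0 = staged, highest = primary, rest = secondary.
    return sorted(int(n) for n in os.listdir(repo) if n.isdigit())

def _write_key(repo, key_id):
    path = os.path.join(repo, str(key_id))
    with open(path, "wb") as fh:
        fh.write(new_key_bytes())
    os.chmod(path, 0o600)  # keys must not be world/group readable

def validate_key_repository(repo):
    # Mirrors the check behind the thread's error: the directory must exist and be
    # readable, searchable and writable by *this* process. os.access() asks the
    # kernel, which applies SELinux as well as the owner/mode bits ls -l shows.
    if not os.path.isdir(repo):
        return {"ok": False, "reason": "key_repository does not exist"}
    if not os.access(repo, os.R_OK | os.W_OK | os.X_OK):
        return {"ok": False, "reason": "insufficient permission (check DAC and AVC denials)"}
    try:  # report the SELinux label when the filesystem carries one (Linux only)
        label = os.getxattr(repo, "security.selinux").rstrip(b"\x00").decode()
    except (OSError, AttributeError):
        label = None
    return {"ok": True, "selinux_label": label, "keys": key_ids(repo)}

def fernet_setup(repo):
    os.makedirs(repo, 0o700, exist_ok=True)
    _write_key(repo, 0)  # bootstrap: a single staged key, as in the log
    return key_ids(repo)

def fernet_rotate(repo, max_active_keys=3):
    ids = key_ids(repo)
    if 0 not in ids:
        raise RuntimeError("no staged key 0; run fernet_setup first")
    new_primary = max(ids) + 1                      # "Next primary key will be: N"
    os.rename(os.path.join(repo, "0"), os.path.join(repo, str(new_primary)))
    _write_key(repo, 0)                             # "Created a new key: .../0"
    survivors = sorted(i for i in key_ids(repo) if i != 0)
    keep = max_active_keys - 1                      # primary plus secondaries; 0 is extra
    excess = survivors[:max(len(survivors) - keep, 0)]  # oldest ids go first
    for i in excess:
        os.remove(os.path.join(repo, str(i)))
    return {"primary": new_primary, "purged": excess, "keys": key_ids(repo)}

def demo():
    repo = os.path.join(tempfile.mkdtemp(), "fernet-keys")  # constructed scratch path
    before = validate_key_repository(repo)
    fernet_setup(repo)
    rounds = [fernet_rotate(repo) for _ in range(3)]
    return before, validate_key_repository(repo), rounds
```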